Microsoft Exchange Server Hack: How to Protect Your Organisation

Vulnerabilities in Microsoft Exchange Server are being exploited by cybercriminals. Here’s what you need to know about the Microsoft Exchange Server hack and how to protect your organisation.

Security experts are in crisis mode again as another significant vulnerability has appeared on the cyber threat landscape. No sooner had the dust seemingly settled on the recent SolarWinds hack than news came of a new vulnerability, this time affecting Microsoft Exchange Server, which has the potential to cause serious damage to organisations throughout the world.

In this blog we’ll explore the new Microsoft Exchange Server hack: what is it, who is exploiting it, what you should do to protect your organisation, how you can be sure you haven’t been compromised already, and what the risk is to your supply chain.

Let’s get started.

What is the Microsoft Exchange Server Hack?

In early-January 2021, Microsoft was made aware of four critical vulnerabilities in a number of its Exchange Server products. These vulnerabilities impact on-premises versions of Exchange Server 2013, 2016 and 2019 but not Exchange Online.

The vulnerabilities discovered are as follows:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability allowed the attacker to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If the attacker could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server.
  • CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If the attacker could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server.

Note: details taken from Microsoft’s security blog here.

The net result of these vulnerabilities is that hackers have the ability to use them to execute remote commands on an Exchange Server. Despite Microsoft releasing patches to address the vulnerabilities on 2nd March 2021, hackers have had a two month window to exploit the vulnerabilities – even longer for those organisations that have yet to patch.

As we’ll learn in the following section, they have done exactly that.

Who is Exploiting the Hack?

The group you’ve probably heard about in relation to the Microsoft Exchange Server hack is Hafnium. Hafnium is a state-sponsored advanced persistent threat (APT) group from China, and Microsoft describes them as a “highly skilled and sophisticated actor”.

According to Microsoft, “Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States.”

More concerning to many organisations, however, is the fact that the Microsoft Exchange Server hack is actually a relatively straightforward one to execute. The FBI and CISA have released an updated advisory saying that nation states and cybercriminals are exploiting the vulnerability, which should be of concern as it could be used to plant ransomware, conduct destructive attacks such as data wiping, or steal data to sell on criminal forums.

So, something that all organisations should take seriously. What should you do to minimise your exposure today?

What Should I Do to Protect My Organisation Now?

If you have an on-premises version of Exchange Server 2013, 2016 or 2019, you need to patch it. Immediately. Patching the server will remove the vulnerability and prevent hackers from exploiting it to launch a cyber-attack on your organisation.

There’s a nuance here that’s worth exploring, though, and that’s the benefit of using software as a service (SaaS) applications rather than on-premises versions. As we stated earlier in this blog, Exchange Online wasn’t affected by this vulnerability.

However, if it had been an advantage of SaaS is that the vendor (in this case Microsoft) issues patches automatically as soon as they are released. This means you don’t have to patch manually, and minimises the window during which your organisation is vulnerable.

If you choose to invest in Microsoft cloud services, you’ll be leveraging the company’s $1 billion of annual investment in the latest cyber security technology and best practices. Microsoft truly is at the forefront of the cyber security revolution: every second, Microsoft gathers hundreds of gigabytes’ worth of telemetry, and this is brought to bear in it’s hyper secure Microsoft 365 and Azure offerings.

Something to consider. On that window though, even if you patched on 2nd March there were still a whole two months during which you were vulnerable to the Microsoft Exchange Server hack. How can you establish if you have already been compromised?

How Can I Be Sure I Haven’t Already Been Compromised?

Our secure cloud experts have put together the following recommended steps to take to mitigate exposure and identify any indicators of compromise related to the Microsoft Exchange Server vulnerabilities. If you need support running through them, we can support you for a one-off fee – just email cyberclinic@6dg.co.uk.

Note: all scripts must be run as an administrator on each Exchange Server, regardless of whether a cluster set up is in place.

  1. Run NMAP Scan to determine if the Exchange Server is vulnerable: https://github.com/microsoft/CSS-Exchange/releases/latest/download/http-vuln-cve2021-26855.nse
  2. Patch vulnerable servers to the recommended versions
  3. Run scripts recommended by Microsoft: https://github.com/microsoft/CSS-Exchange/tree/main/Security (this link guides through the process of running scripts to identify indicators of compromise)
  4. Review the script output for indicators of comprise, which should give confirmation if the server was compromised
  5. In order to discover potential indicators of lateral movement across your infrastructure, which could further indicate compromise, the scripts below explore Active Directory (AD) for the creation or modification of Local Users and Groups: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee617241(v=technet.10)?redirectedfrom=MSDN
    1. In PowerShell: $DateCutOff=(Get-Date).AddDays(-30) – (this will take today’s date and effectively add -30 days to it)
    2. To find newly created users: Get-ADUser -Filter * -Property whenCreated | Where {$_.whenCreated -gt $datecutoff} | FT Name, whenCreated -Autosize
    3. To find modified users: Get-ADUser -Filter * -Property whenChanged | Where {$_.whenChanged -gt $datecutoff} | FT Name, whenChanged -Autosize

Again, cyberclinic@6dg.co.uk is the address to email of you need support in running through these steps. Once completed, you will have identified potential compromises within your environment. But what about your suppliers, if they’re running Exchange Server 2013, 2016 or 2019?

What About My Suppliers? Is There a Supply Chain Risk?

Short answer, yes. The slightly longer answer though is that your organisation has never been more reliant on supply chains to deliver products and services to your end users. Whether it’s sourcing parts from suppliers, outsourcing functions like finance or marketing, or working with logistics firms to transport your products around the world, your supply chain is critical to your operational integrity.

Hackers know this, and will actively target organisations in your supply chain in order to disrupt your operations and gain a foothold into your environment. And even if they don’t target you through your supply chain, any disruptions to your suppliers resulting from a cyber-attack can cause significant collateral damage to you as a result.

Here are four straightforward steps you should take to understand and mitigate your supply chain risk:

  • Survey your supply chain to gain a complete picture of the suppliers your organisation works with.
  • Establish the key suppliers in your supply chain on which you rely most heavily, or who are most integrated with your organisation.
  • Contact these key suppliers and ask them if they use Exchange Server 2013, 2016 or 2019 to establish if they are at risk.
  • If they do, ask them to confirm how they have mitigated this risk.

You may well work with suppliers that integrate with and have access to you network. Pay special attention to these suppliers, as any compromises they suffer can project directly into your network and act as a launchpad for ransomware and business email compromise (BEC) attacks.

A BEC attack is, broadly speaking, a type of phishing email. What makes it so dangerous is its targeting and sophistication. BECs are most commonly targeted at individuals responsible for handling money within organisations, and through carefully thought out methods their aim is to trick the individual into transferring money to an offshore bank account.

BEC attacks require diligence to address, as they often use sophisticated social engineering to convince victims to part with their money. Part of your supply chain considerations should include diligence around suppliers you make payments to, ensuring processes are in place to double- and triple-check that every payment made is legitimate.

By establishing your supply chain risk, you can further minimise your exposure to disruption as a result of the Microsoft Exchange Server hack.

Reduce the Risk to Your Organisation

The Microsoft Exchange Server hack is something that all organisations should take seriously – even those that don’t run the affected versions of Exchange Server. In this blog we’ve provided an overview of how to minimise the associated cyber risk your organisation faces.

At Six Degrees we have the expertise and the experience to deliver tailored solutions that will enhance your organisation’s cyber security posture. But before we start, we always want to understand your organisation and where you are on your own cyber security journey. That’s why we offer a cyber security assessment that will give us – and you – the knowledge and tools to roadmap the next steps of your journey. Schedule a call if you want to learn more.

Our new Threat Flash is compiled by our Cyber Intelligence Team to update you on ransomware that has been observed actively exploiting the Microsoft Exchange Server vulnerability. The report provides details of the ransomware attacks, along with suggested mitigation steps to protect your organisation.

Subscribe to the newsletter today

Related posts

Exploring the Cyber Security Landscape in Early-2021

Exploring the Cyber Security Landscape in Early-2021

Lockdown introduced new threat vectors for organisations in…

SolarWinds Hack Explained: Understand the Implications and Reduce the Risk to Your Organisation

SolarWinds Hack Explained: Understand the Implications and…

A newly-discovered cyber-attack has reached headlines as it…